Lenovo caves to FTC, will pay $3.5 million for Superfish damage

The FTC has reached an agreement with Lenovo, and the company will have to pay a fine to avoid more legal trouble over Superfish adware. Image: Lenovo.

On Tuesday, the Federal Trade Commission (FTC) announced it had reached a settlement in a lawsuit filed against Lenovo in 2015 for including preloaded software on its laptops that compromised users’ security. The Chinese company will pay $3.5 million in compensation to consumers in 32 states.

There were as many as 750,000 Lenovo computers sold between August 2014 and January 2015, a period during which all the laptop owners got a special treat in the form of VisualDiscovery, an adware program that used people’s information to sell them ads online.

Security researchers quickly discovered a critical security flaw that essentially gave hackers access to the users’ network traffic. Lenovo stands by its position, claiming it had already stopped shipping the software by that time and that no laptops were compromised as a result of this alleged exploit.

What was the Superfish bug and how did it work?

If you bought a Lenovo laptop during the period mentioned above, there is a chance your computer is running Superfish’s VisualDiscovery, a piece of software that provided a potential backdoor for hackers to spy on users’ traffic and online activities.

VisualDiscovery was packaged and preloaded with Lenovo laptops, so right out of the box people’s data was being ingested by Superfish and its commercial associates to feed users with dedicated ads.

All of this was possible because the program installed its own root certificate on the machine, which meant that tech-savvy people could crack that certificate and simply sit on the network and spy on it. This eventually happened, and the FTC filed suit.
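The practical question for anyone who owned one of these laptops is whether the extra root certificate is still in the Windows trust store. The following PowerShell check is an added example and is not code from the article or from Lenovo; it assumes a Windows machine and uses only the vendor name “Superfish” from the article as its match pattern, so it would need extending to cover any other vendor a reader wants to audit.

```powershell
# Added example: enumerate the trusted root CA stores on this Windows machine and
# report any certificate whose subject or issuer mentions Superfish (the vendor
# named in the article). The pattern is an assumption; add other names as needed.
$suspectPattern = 'Superfish'
$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspectRootCertificate {
    param(
        [string]$Pattern = $suspectPattern,
        [string[]]$Stores = $rootStores
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | Where-Object {
            $_.Subject -match $Pattern -or $_.Issuer -match $Pattern
        } | ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # A self-signed root is the kind of entry an adware proxy needs
                # in order to sign certificates for any site on the fly.
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
    }
}

# Run the check and show any hits; an empty result means nothing matched.
Find-SuspectRootCertificate | Format-Table -AutoSize
```

Any hit should be reviewed and, if confirmed, removed from the store with `Remove-Item` on the certificate’s path (which requires an elevated prompt for `LocalMachine`); removing the certificate alone does not uninstall the VisualDiscovery software that installed it, so that should be uninstalled separately.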

FTC’s fine is basically just a slap on Lenovo’s wrist

Revenue estimates suggest that those 750,000 laptops sold by Lenovo made the company anywhere between $375 million and $1 billion. Being fined just $3.5 million spread across 32 states is nothing short of ridiculous, and it goes to show just how profitable it is to fake selective amnesia and turn a blind eye.

Those calculations cover only the proceeds from hardware sales, not the deal the Chinese firm presumably had with Superfish to preload its software on Lenovo-branded laptops.

However, the implications of this settlement are what worry some people in the tech industry: a manufacturer can so blatantly get away with something like this without even admitting it was at fault or apologizing in the end.

The financial burden of going through with a scheme like this is almost nonexistent. A $3.5 million fine out of the lowest potential sum of $375 million is virtually nothing for a deal in which users’ data was mined and networks were spied on to collect sensitive information.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” the company said in a statement.